bindfs
Bind mount directory with modified permissions
TLDR
Mount a directory with same permissions
Map filesystem objects owned by user1 to be owned by user2 (also applies in reverse to newly created files)
Unmount a directory
SYNOPSIS
bindfs [options] <source> <mountpoint>
PARAMETERS
-h, --help
Display help and exit
-V, --version
Output version information
-o, --option=NAME[=VALUE]
FUSE options (e.g., -o allow_other)
-u UID/PUID, --force-user[=UID]
Force all files to UID (PUID=preserve original)
-g GID/PGID, --force-group[=GID]
Force all files to GID (PGID=preserve original)
--map=from/to[:from/to]...
Map UIDs/GIDs (e.g., --map=0/1000)
--perms=MODE
Permission mask for lookup (e.g., 0755)
--create-mode=MODE
Mask for new files/directories
--create-with-perms=MODE
Exact perms for new files/dirs
--chown-mode=MODE
Mask after chown operations
--chmod-mode=MODE
Mask after chmod operations
--mirror=PATH
Mirror subdirectory structure
-r, --read-only
Mount read-only
--no-fallback-uidgid
Fail if mapping unavailable
--preserve-mtime
Preserve modification times
--xattr-uid=UID
UID for xattr operations
--remap-gid-up=GID_LIST
Remap supplemental GIDs upward
--remap-gid-down=GID_LIST
Remap supplemental GIDs downward
DESCRIPTION
bindfs is a FUSE-based filesystem that mounts a directory (source) at another location (mountpoint) while customizing file attributes such as ownership, permissions, and access controls. Unlike a traditional mount --bind, which exposes the same filesystem view unchanged, bindfs can remap UIDs/GIDs, apply permission masks, and alter create/chown/chmod behavior on the fly.
This makes it well suited to scenarios like running services under restricted users while accessing root-owned files, creating sandboxed environments with modified privileges, or exposing directories with adjusted readability to web servers or containers. For example, map root (UID 0) to a non-privileged user for safe access, or force all files to appear world-readable. Both change who can reach the data through the mountpoint, so scope the view to what the consumer actually needs (see CAVEATS).
Key features include UID/GID mapping (single or ranged), permission bitmasks for lookup/create/chown/chmod operations, mirroring subdirectories, preserving mtimes, and FUSE option passthrough. It supports read-only mounts and optional fallback to real UID/GID on failures. bindfs runs as a userspace daemon, leveraging the FUSE kernel module for transparent integration.
Running in userspace adds some performance overhead, but bindfs is suitable for most non-I/O-intensive uses. It requires root for privileged mounts, or user namespaces/FUSE setup for unprivileged operation. Widely used in containerization, chroots, and development workflows.
CAVEATS
Requires the FUSE kernel module and libfuse; userspace overhead impacts performance on high-I/O workloads. Unprivileged mounts need user namespaces or CAP_SYS_ADMIN. Misconfiguration is a security risk: a relaxed mapping or permission mask, especially together with -o allow_other, can expose sensitive files to users who cannot read them in the source. Not a full filesystem; relies on the capabilities of the underlying source filesystem.
EXAMPLES
Map root to user 1000: bindfs --map=0/1000 /root /mnt/root
Force permissions: bindfs -u 1000 -g 1000 --perms=0777 ~/shared /mnt/shared
Read-only web access: bindfs -r --create-mode=0644 /var/www /srv/www
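Before relaxing ownership or permissions as in the examples above, it helps to know which entries in the source are currently protected by their mode or owner. The script below is an added example, not part of bindfs or of the original page; the function names and the script name are hypothetical, and it only inspects the source directory with find without mounting anything.

```shell
#!/bin/sh
# Added example (not from bindfs): audit a source directory before mounting
# it with relaxed ownership or permissions. Function names are hypothetical.

# Entries under $1 that "other" cannot read today. A view such as the
# "Force permissions" example (--perms=0777) would present them as readable.
# Symlinks are skipped because their own mode bits do not protect the target.
restricted_entries() {
    find "$1" ! -type l ! -perm -004 -print
}

# Entries under $1 owned by numeric UID $2, e.g. 0 before using --map=0/1000.
owned_by_uid() {
    find "$1" -user "$2" -print
}

# Exit status: 0 = nothing restricted, 1 = restricted entries found,
# 2 = source is not a directory. Findings go to stderr.
audit_source() {
    src=$1
    if [ ! -d "$src" ]; then
        echo "not a directory: $src" >&2
        return 2
    fi
    hits=$(restricted_entries "$src")
    if [ -n "$hits" ]; then
        echo "not readable by others in the source:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Usage: sh audit.sh /path/to/source   (the script name is an assumption)
if [ "$#" -gt 0 ]; then
    audit_source "$1"
fi
```

A non-zero exit is a prompt to review the listed paths, or to mount a narrower subdirectory, before running bindfs.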
UNMOUNTING
Use fusermount -u <mountpoint> or umount <mountpoint>. If the mount is busy, do a lazy unmount with umount -l.
HISTORY
Developed by Berny Cantin starting in 2008 as a FUSE utility for flexible bind mounts. Initial release addressed limitations in standard bindfs for permission overrides. Evolved to support FUSE2/FUSE3; active maintenance with versions up to 1.17.x (2023), adding gid remapping and better xattr support.
SEE ALSO
mount(8), fusermount(1), fuse(8)


